Aesthetic Clinics
Your clients trust you with their health records, their images, and their face. The law treats all three very differently.
The Aesthetic Clinics Action Guide is a complete profession-specific compliance framework — covering how UK GDPR applies to everything you collect in clinic, including health history, treatment records, AI imaging tools, and before/after photography.
Before/after photographs are clinical records. AI skin analysis tools almost certainly process Special Category Data. Your booking platform holds health and allergy information. And the 8-year clinical negligence limitation period means your records obligations are significantly longer — and stricter — than almost any other profession in this suite.
Most compliance guidance does not cover aesthetic practice specifically. This guide does. Every section was written for clinics, nurses, and cosmetic practitioners — not adapted from generic small business advice.
What Is In This Guide
UK GDPR Applied to Aesthetic Practice
A complete profession-specific framework covering how data protection law applies to the specific data types aesthetic clinics collect, store, and process.
→Why health history, treatment records, and clinical photographs are each treated differently under the law
→When your booking platform becomes a data processor — and what that requires
→How the AI Decision Test applies to aesthetic consultations specifically
UK GDPR · DPA 2018 · Article 9 Special Category Data
AI Imaging Tools — Your Obligations
Covers the specific compliance requirements for AI skin analysis tools, before/after visualisation software, and any AI tool that processes client images.
→When a client photograph becomes biometric data under Article 9
→DPA requirements for skin analysis platforms — what to check and what to do if there is none
→AI-generated predicted outcome imagery: mandatory disclosure standard
→The AI Risk Check applied to image processing in clinic
Article 9 UK GDPR · ICO Biometric Guidance 2023 · ASA CAP Code
Retention Periods — The 8-Year Rule
Covers the clinical negligence limitation period and exactly how it applies to each type of record in your clinic. Most aesthetic practitioners do not know this period applies to them.
→8 years for treatment records and clinical notes — why and what it means in practice
→Different periods for different record types: photographs, consent forms, financial records
→What to do when a client asks you to delete their data during the retention window
→A completed retention schedule ready to implement
Limitation Act 1980 · ICO Records Retention Guidance
Working Documents — Logs & Breach Plan
The operational records you need to demonstrate compliance and respond correctly when something goes wrong.
→Client Record & Consent Log — track every client's consent status and retention deadline
→AI Tool Register — log every platform, its DPA status, and data location
→72-hour breach response plan — step by step, for when client data is compromised
→Privacy Notice template drafted specifically for aesthetic clinics
Articles 5(2), 28, 33 UK GDPR — Accountability & Breach Notification
THE FOUR CONSENT FORMS — INCLUDED AND READY TO USE
Four separated consent forms. One purpose each. Individual tick boxes throughout.
A single catch-all consent signature does not satisfy UK GDPR for aesthetic practice. Each processing activity — treatment, data, images, AI — requires its own specific consent. These forms give your clients individual tick boxes for each activity so their consent is specific, informed, and legally valid.
Form 1
Treatment Consent
Procedure-specific consent covering the treatment itself, including health history and contraindications.
Form 2
Data Consent
Covers storage of health records, treatment notes, and contact details — each with individual consent options.
Form 3
Photography Consent
Separate tick boxes for clinical records, social media, website use, and AI content tools — client by client.
Form 4
AI Processing Consent
Explicit Article 9 consent for AI skin analysis and imaging tools. Required before any AI tool processes client images.
What you get.
Profession-specific GDPR framework — covering health history, treatment records, clinical photographs, and AI imaging tools
8-year retention schedule — completed and ready to implement, with the legal reasoning behind each period
Four consent forms — client data, photography, general AI processing, and explicit Article 9 AI consent, each with individual tick boxes
Privacy Notice template — drafted for aesthetic clinics, with AI processing disclosures included
AI Tool Register — log every platform used in clinic, its DPA status, and data location
Client Record & Consent Log — track every client's consent status and retention deadline in one place
72-hour breach response plan — what to do if client data is compromised, step by step
AI Safe Starter Pack — the foundational seven documents, included free with this guide
Aesthetic Clinics Action Guide — £57
The profession-specific guide with completed examples, separated consent forms, retention policy, and a week-one action plan. The right starting point for every aesthetics practitioner.
Recommended Pathways
Aesthetics & Imaging Bundle — £129
Starter Pack, Aesthetic Clinics Action Guide, Risk & Data Pack + Companion Guide, and Platform DPA Checkers Vol 1 & 2. The only bundle built specifically for practitioners using AI imaging tools where biometric data obligations, clinical negligence retention, and deepfake criminal liability apply simultaneously.
Full Suite Bundle — £189
Everything in the Aesthetics & Imaging Bundle, plus the Website Compliance Pack, AI Safe Legal Pack + Companion Guide, and Templates — the complete compliance infrastructure including the DPA template, breach response plan, LIA framework, and June 2026 complaints procedure template. For any aesthetic clinic that wants a fully defensible legal position, not just an emerging-risk framework.